Mohammad Tohidur Rahman Bhuiyan

CGEIT,CISA,A+,MCSD,ISMS,CSCF

The Process of Auditing Information Systems
Out of 05 domains, it covers 14%

Introduction

Course Agenda
Learning Objectives
Discuss Task and Knowledge Statements
Discuss specific topics within the chapter
Case studies (individual practice, following the CRM)
Sample questions (individual practice, following the CRM)

Exam Relevance
Ensure that the CISA candidate:
Provide audit services in accordance with IT audit standards to assist the organization in protecting and controlling information systems.
The content area in this chapter will represent approximately 14% of the CISA examination (approximately 28 questions).
(CRM Pages: XX
Up to 2010 / From 2011

Task & Knowledge Statements
Task and knowledge statements represent the basis from which exam items are written.
Tasks: Tasks are the learning objectives that IS auditors/CISA candidates are expected to know to perform their job duties.
Knowledge statements: In order to perform all of the tasks, the IS auditor/CISA candidate should have a firm grasp of all the knowledge statements contained within the CISA Review Manual Chapter 1.

Tasks / Objectives

Process Area Tasks
Five tasks:
1.1 Develop and implement a risk-based IT audit strategy in compliance with IT audit standards to ensure that key areas are included.
1.2 Plan specific audits to determine whether information systems are protected, controlled and provide value to the organization.
1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
1.4 Communicate emerging issues, potential risks, and audit results to key stakeholders.
1.5 Advise on the implementation of risk management and control practices within the organization, while maintaining independence.

Knowledge Statements

Process Area Knowledge Statements
Ten knowledge statements:
1.1 Knowledge of ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques, Code of Professional Ethics and other applicable standards
1.2 Knowledge of risk assessment concepts, tools and techniques in an audit context
1.3 Knowledge of control objectives and controls related to information systems
1.4 Knowledge of audit planning and audit project management techniques, including follow-up
1.5 Knowledge of fundamental business processes (e.g., purchasing, payroll, accounts payable, accounts receivable) including relevant IT

Process Area Knowledge Statements (contd.)
1.6 Knowledge of applicable laws and regulations which affect the scope, evidence collection and preservation, and frequency of audits
1.7 Knowledge of evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis) used to gather, protect and preserve audit evidence
1.8 Knowledge of different sampling methodologies
1.9 Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure)
1.10 Knowledge of audit quality assurance systems and frameworks

Organization of IS Audit Function
Audit charter (or engagement letter)
Stating management's responsibility and objectives for, and delegation of authority to, the IS audit function
Outlining the overall authority, scope and responsibilities of the audit function
Approval of the audit charter
Change in the audit charter

Audit Planning
Audit planning
Short-term planning
Long-term planning
Things to consider
New control issues
Changing technologies
Changing business processes
Enhanced evaluation techniques
Individual audit planning
Understanding of overall environment
Business practices and functions
Information systems and technology

Audit Planning
Audit planning steps
1. Gain an understanding of the business's mission, objectives, purpose and processes.
2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).
3. Evaluate risk assessment and privacy impact analysis.
4. Perform a risk analysis.
5. Conduct an internal control review.
6. Set the audit scope and audit objectives.
7. Develop the audit approach or audit strategy.
8. Assign personnel resources to the audit and address engagement logistics.

Effect of Laws and Regulations
Regulatory requirements
Establishment
Organization
Responsibilities
Correlation to financial, operational and IT audit functions

Effect of Laws and Regulations (continued)
Steps to determine compliance with external requirements:
Identify external requirements
Document pertinent laws and regulations
Assess whether management and the IS function have considered the relevant external requirements
Review internal IS department documents that address adherence to applicable laws
Determine adherence to established procedures

ISACA IS Auditing Standards and Guidelines
Framework for the ISACA IS Auditing Standards as of 1 March 2010
Standards (16)
Guidelines 41 (G19 is cancelled)
Procedures (11)

Definition: Standards, Guidelines & Procedures
Standards define mandatory requirements for IT audit and assurance.
Guidelines provide guidance in applying IT Audit and Assurance Standards. The objective of the IT Audit and Assurance Guidelines is to provide further information on how to comply with the IT Audit and Assurance Standards.
Procedures / Tools and Techniques provide examples of procedures an IT audit and assurance professional might follow. The objective of the IT Audit and Assurance Tools and Techniques is to provide further information on how to comply with the IT Audit and Assurance Standards.

ISACA IS Auditing Standards and Guidelines
IS Auditing Standards: 16
1. Audit charter
2. Independence
3. Professional ethics and standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning
12. Audit materiality
13. Using the work of other experts
14. Audit evidence
15. IT controls
16. E-commerce

ISACA IS Auditing Standards and Guidelines (continued)
IS Auditing Guidelines: 41 (42 - 1 = 41, G19 is cancelled)
G1 Using the Work of Other Auditors
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G4 Outsourcing of IS Activities to Other Organizations
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems, 1 September
G7 Due Professional Care
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organizational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Audit Planning Revised

ISACA IS Auditing Standards and Guidelines (continued)
G16 Effect of Third Parties on an Organization's IT Controls
G17 Effect of Non-audit Role on the IT Audit and Assurance Professional's Independence
G18 IT Governance
G19 Irregularities and Illegal Acts, 1 July 2002. Withdrawn 1 September 2008
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business-to-consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Reviews
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post-implementation Review
G30 Competence

ISACA IS Auditing Standards and Guidelines (continued)
G31 Privacy
G32 Business Continuity Plan (BCP) Review From IT Perspective
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organization
G40 Review of Security Management Practices
G41 Return on Security Investment (ROSI)
G42 Continuous Assurance

ISACA IS Auditing Standards and Guidelines
IT Audit and Assurance Tools and Techniques: 11
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and Other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment: Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)

IT Risk Assessment Quadrants
(Figure: "Example Risk Level Assignment". A 2x2 chart with Sensitivity Rating on the vertical axis and Vulnerability Assessment Rating on the horizontal axis, both running from 0% to 100% and split at 50%.)
Quadrant I (High Risk). Suggested action(s): Mitigate
Quadrant II (Medium Risk). Suggested action(s): Accept, Mitigate, Transfer
Quadrant III (Medium Risk). Suggested action(s): Accept, Mitigate, Transfer
Quadrant IV (Low Risk). Suggested action(s): Accept

ISACA IS Auditing Standards and Guidelines
ISACA Auditing Procedures
Procedures developed by the ISACA Standards Board provide examples.
The IS auditor should apply their own professional judgment to the specific circumstances.
(Index of Procedures)

Internal Control
Internal controls
Policies, procedures, practices and organizational structures implemented to reduce risks

Internal Control (continued)
Components of Internal Control System
Internal accounting controls
Operational controls
Administrative controls

Internal Control (continued)
Internal Control Objectives
Safeguarding of information technology assets
Compliance to corporate policies or legal requirements
Authorization/input
Accuracy and completeness of processing of transactions
Output
Reliability of process
Backup/recovery
Efficiency and economy of operations

Internal Control (continued)
Classification of Internal Controls
Preventive controls
Detective controls
Corrective controls

Internal Control (continued)
IS Control Objectives
Control objectives in an information systems environment remain unchanged from those of a manual environment. However, control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes.

Internal Control (continued)
IS Control Objectives (contd.)
Safeguarding assets
Assuring the integrity of general operating system environments
Assuring the integrity of sensitive and critical application system environments through:
Authorization of the input
Accuracy and completeness of processing of transactions
Reliability of overall information processing activities
Accuracy, completeness and security of the output
Database integrity

Internal Control (continued)
IS Control Objectives (contd.)
Ensuring the efficiency and effectiveness of operations
Complying with requirements, policies and procedures, and applicable laws
Developing business continuity and disaster recovery plans
Developing an incident response plan

Internal Control (continued)
IS Control Objectives (contd.)
COBIT
A framework with 34 high-level control objectives
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring and evaluation
Use of 36 major IT-related standards and regulations

Internal Control (continued)
General Control Procedures
General control procedures apply to all areas of an organization and include policies and practices established by management to provide reasonable assurance that specific objectives will be achieved.

Internal Control (continued)
General Control Procedures (continued)
Internal accounting controls directed at accounting operations
Operational controls concerned with the day-to-day operations
Administrative controls concerned with operational efficiency and adherence to management policies
Organizational logical security policies and procedures
Overall policies for the design and use of documents and records
Procedures and features to ensure authorized access to assets
Physical security policies for all data centers

Internal Control (continued)
IS Control Procedures
Strategy and direction
General organization and management
Access to data and programs
Systems development methodologies and change control
Data processing operations
Systems programming and technical support functions
Data processing quality assurance procedures
Physical access controls
Business continuity/disaster recovery planning
Networks and communications
Database administration

Definition of Auditing
Systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event for the purpose of forming an opinion about and reporting on the degree to which the assertion conforms to an identified set of standards.

Definition of IS Auditing
Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them.

Classification of audits:
Financial audits
Operational audits
Integrated audits
Administrative audits
Information systems audits
Specialized audits
Forensic audits

Audit Programs
Based on the scope and the objective of the particular assignment
IS auditor's perspectives
Security (confidentiality, integrity and availability)
Quality (effectiveness, efficiency)
Fiduciary (compliance, reliability)
Service and capacity

General audit procedures
Understanding of the audit area/subject
Risk assessment and general audit plan
Detailed audit planning
Preliminary review of audit area/subject
Evaluating audit area/subject
Compliance testing
Substantive testing
Reporting (communicating results)
Follow-up

Procedures for testing & evaluating IS controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flowcharting techniques for documenting automated applications and business processes
Use of audit reports available in operating systems
Documentation review
Observation

Audit Methodology
A set of documented audit procedures designed to achieve planned audit objectives
Composed of
Statement of scope
Statement of audit objectives
Statement of work programs
Set up and approved by the audit management
Communicated to all audit staff

Typical audit phases
1. Audit subject
Identify the area to be audited
2. Audit objective
Identify the purpose of the audit
3. Audit scope
Identify the specific systems, function or unit of the organization

Typical audit phases (contd.)
4. Pre-audit planning
Identify technical skills and resources needed
Identify the sources of information for test or review
Identify locations or facilities to be audited

Typical audit phases (contd.)
5. Audit procedures and steps for data gathering
Identify and select the audit approach
Identify a list of individuals to interview
Identify and obtain departmental policies, standards and guidelines
Develop audit tools and methodology

Typical audit phases (contd.)
6. Procedures for evaluating test/review results
7. Procedures for communication
8. Audit report preparation
Identify follow-up review procedures
Identify procedures to evaluate/test operational efficiency and effectiveness
Identify procedures to test controls
Review and evaluate the soundness of documents, policies and procedures.

Typical Audit Phases Summary
Identify
the area to be audited
the purpose of the audit
the specific systems, function or unit of the organization to be included in the review
technical skills and resources needed
the sources of information for tests or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
locations or facilities to be audited
and select the audit approach to verify and test the controls
a list of individuals to interview
and obtain departmental policies, standards and guidelines for review
Develop
audit tools and methodology to test and verify controls
procedures for evaluating the test or review results
procedures for communication with management
Identify
follow-up review procedures
procedures to evaluate/test operational efficiency and effectiveness
procedures to test controls
Review and evaluate the soundness of documents, policies and procedures

Work Papers (WPs)
What is documented in WPs?
Audit plans
Audit programs
Audit activities
Audit tests
Audit findings and incidents

Work Papers (contd.)
Do not have to be on paper
Must be
Dated
Initialed
Page numbered
Relevant
Complete
Clear
Self-contained and properly labeled
Filed and kept in custody

Fraud Detection
Management's responsibility
Benefits of a well-designed internal control system
Deterring frauds at the first instance
Detecting frauds in a timely manner
Fraud detection and disclosure
Auditor's role in fraud prevention and detection

Audit Risk
Audit risk is the risk that the information/financial report may contain material error that may go undetected during the audit.
A risk-based audit approach is used to assess risk and assist with an IS auditor's decision to perform either compliance or substantive testing.

Audit Risks
Inherent risk
Control risk
Detection risk
Overall audit risk

Risk-based Approach Overview
Gather information and plan
Obtain understanding of internal control
Perform compliance tests
Perform substantive tests
Conclude the audit

Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

Risk Assessment Techniques
Enables management to effectively allocate limited audit resources
Ensures that relevant information has been obtained
Establishes a basis for effectively managing the audit department
Provides a summary of how the individual audit subject is related to the overall organization and to business plans

Audit Objectives
The specific goals of the audit:
Compliance with legal & regulatory requirements
Confidentiality
Integrity
Reliability
Availability

Compliance vs. Substantive Testing
Compliance test: determines whether controls are in compliance with management policies and procedures
Substantive test: tests the integrity of actual processing
Correlation between the level of internal controls and substantive testing required
Relationship between compliance and substantive tests
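The slides name the four audit risks (inherent, control, detection, overall) and state that the level of internal controls drives how much substantive testing is required, but give no calculation. The following is an added example, not part of the original slides: it applies the standard multiplicative audit risk model AR = IR x CR x DR (assumed here; the deck does not state it) to compute the detection risk an auditor can accept after compliance testing, and maps it to an extent of substantive testing. The audit areas, their risk ratings and the extent thresholds are constructed for illustration.

```python
"""Audit risk model: how inherent and control risk drive the extent of
substantive testing.

Added example, not part of the original slides. It applies the standard
multiplicative audit risk model AR = IR x CR x DR, which the slides do not
state; the audit areas, their risk ratings and the testing-extent thresholds
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditArea:
    name: str
    inherent_risk: float   # IR: likelihood of a material error with no controls in place
    control_risk: float    # CR: likelihood the controls miss it (from compliance testing)


def planned_detection_risk(area: AuditArea, acceptable_audit_risk: float) -> float:
    """Solve AR = IR * CR * DR for DR, the risk that the auditor's own
    substantive procedures fail to detect a material error. Capped at 1.0,
    since a risk cannot exceed certainty."""
    if not (0 < area.inherent_risk <= 1 and 0 < area.control_risk <= 1):
        raise ValueError("inherent and control risk must be in (0, 1]")
    if not 0 < acceptable_audit_risk < 1:
        raise ValueError("acceptable audit risk must be in (0, 1)")
    return min(1.0, acceptable_audit_risk / (area.inherent_risk * area.control_risk))


def substantive_testing_extent(detection_risk: float) -> str:
    """Map planned detection risk to the extent of substantive testing: the
    less detection risk the auditor can accept, the more substantive evidence
    is needed. Thresholds are constructed, not from the slides."""
    if detection_risk < 0.10:
        return "extensive"
    if detection_risk < 0.30:
        return "moderate"
    return "limited"


def plan_substantive_testing(areas, acceptable_audit_risk=0.05):
    """Return {area name: (planned detection risk, testing extent)}."""
    plan = {}
    for area in areas:
        dr = planned_detection_risk(area, acceptable_audit_risk)
        plan[area.name] = (round(dr, 4), substantive_testing_extent(dr))
    return plan


# Constructed audit areas; the control risk ratings stand in for the results
# of compliance testing of each area's controls.
AREAS = [
    AuditArea("payroll", inherent_risk=0.8, control_risk=0.2),           # strong controls
    AuditArea("accounts payable", inherent_risk=0.9, control_risk=0.9),  # weak controls
    AuditArea("fixed assets", inherent_risk=0.3, control_risk=0.1),      # low risk, strong controls
]

if __name__ == "__main__":
    for name, (dr, extent) in plan_substantive_testing(AREAS).items():
        print(f"{name:16s} planned DR = {dr:.4f} -> {extent} substantive testing")
```

Weak controls in accounts payable leave the auditor with only about 6% detection risk to work with, so substantive testing there must be extensive; payroll's strong controls (low CR found in compliance testing) allow a much higher detection risk and hence limited substantive work, which is the correlation the slide refers to.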

Evidence
It is a requirement that the auditor's conclusions must be based on sufficient, competent evidence.
Independence of the provider of the evidence
Qualification of the individual providing the information or evidence
Objectivity of the evidence
Timing of evidence

Techniques for gathering evidence:
Review IS organization structures
Review IS policies and procedures
Review IS standards
Review IS documentation
Interview appropriate personnel
Observe processes and employee performance

Interviewing and Observing Personnel
Actual functions
Actual processes/procedures
Security awareness
Reporting relationships

Sampling
General approaches to audit sampling:
Statistical sampling
Nonstatistical sampling
Methods of sampling used by auditors:
Attribute sampling
Variable sampling

Sampling (continued)
Attribute sampling
Stop-or-go sampling
Discovery sampling
Variable sampling
Stratified mean per unit
Unstratified mean per unit
Difference estimation

Statistical sampling terms:
Confidence coefficient
Level of risk
Precision
Expected error rate
Sample mean
Sample standard deviation
Tolerable error rate
Population standard deviation

Key steps in choosing a sample
Determine the objectives of the test
Define the population to be sampled
Determine the sampling method, such as attribute versus variable sampling
Calculate the sample size
Select the sample
Evaluate the sample from an audit perspective
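The sampling slides list the methods and the statistical terms (confidence coefficient, precision, expected and tolerable error rate, sample standard deviation) and the steps for choosing a sample, but give no formulas. The following is an added example, not part of the original slides, that carries those steps through in code: sizing an attribute (discovery) sample from the confidence coefficient and tolerable error rate, evaluating the sample by computing an upper bound on the population deviation rate, and projecting a variable sample with unstratified mean-per-unit estimation and its precision. The exact binomial model for attribute sampling, the two-sided 95% coefficient z = 1.96 for the variable estimate, and the invoice amounts and rates are all assumptions of this example.

```python
"""Attribute and variable sampling, following the slides' key steps:
set the objective, define the population, pick the method, size the
sample, select it, evaluate it.

Added example, not part of the original slides. Sample sizes and the
upper deviation-rate bound use the exact binomial model; the slides name
the terms (confidence coefficient, precision, expected and tolerable error
rate) but give no formulas. The invoice amounts and rates are constructed.
"""
import math
import statistics


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence: float, tolerable_rate: float,
                          expected_errors: int = 0) -> int:
    """Smallest n such that, if the true deviation rate were the tolerable
    rate, seeing no more than `expected_errors` deviations would have
    probability <= 1 - confidence. With expected_errors = 0 this equals the
    discovery-sampling size ceil(ln(1 - C) / ln(1 - p))."""
    n = expected_errors + 1
    while binom_cdf(expected_errors, n, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def upper_error_rate_bound(n: int, observed_errors: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population deviation rate:
    the rate p at which observing <= observed_errors deviations in n items
    has probability exactly 1 - confidence, found by bisection (the binomial
    CDF decreases as p grows)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed_errors, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(n: int, observed_errors: int,
                              confidence: float, tolerable_rate: float) -> dict:
    """Compliance-test conclusion: rely on the control only if the upper
    bound on the deviation rate stays within the tolerable rate."""
    bound = upper_error_rate_bound(n, observed_errors, confidence)
    return {
        "sample_error_rate": observed_errors / n,
        "upper_bound": round(bound, 4),
        "rely_on_control": bound <= tolerable_rate,
    }


def mean_per_unit_estimate(sample_values, population_size: int,
                           z: float = 1.96) -> dict:
    """Unstratified mean-per-unit variable sampling: project the sample mean
    onto the population and state the precision (half-width of the interval
    at the confidence implied by z; 1.96 is the two-sided 95% coefficient)."""
    n = len(sample_values)
    mean = statistics.mean(sample_values)
    sd = statistics.stdev(sample_values)          # sample standard deviation
    estimate = mean * population_size
    precision = z * sd / math.sqrt(n) * population_size
    return {"estimate": round(estimate, 2), "precision": round(precision, 2)}


# Constructed sample of 10 recorded invoice amounts from a population of 2,000.
SAMPLE_INVOICES = [120.0, 98.5, 143.0, 110.0, 87.0, 131.5, 102.0, 115.0, 99.0, 124.0]
POPULATION_SIZE = 2000

if __name__ == "__main__":
    n = attribute_sample_size(confidence=0.95, tolerable_rate=0.05)
    print("attribute sample size (95%, tolerable 5%, 0 expected):", n)
    print("0 deviations:", evaluate_attribute_sample(n, 0, 0.95, 0.05))
    print("1 deviation: ", evaluate_attribute_sample(n, 1, 0.95, 0.05))
    print("mean-per-unit:", mean_per_unit_estimate(SAMPLE_INVOICES, POPULATION_SIZE))
```

With a 95% confidence coefficient and a 5% tolerable error rate the discovery sample is 59 items; a single deviation in those 59 pushes the upper bound above the tolerable rate, so the control cannot be relied on and the auditor would extend the sample (stop-or-go) or move to substantive testing. Allowing for expected errors up front (expected_errors > 0) yields a larger sample for the same conclusion.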

Computer Assisted Audit Techniques (CAATs)
CAATs enable IS auditors to gather information independently
CAATs include:
Generalized audit software (GAS)
Utility software
Test data
Application software for continuous online audits
Audit expert systems

Computer Assisted Audit Techniques (contd.)
Need for CAATs
Evidence collection
Functional capabilities
Functions supported
Areas of concern

Computer Assisted Audit Techniques (contd.)
Examples of CAATs used to collect evidence
CAATs as a continuous online approach

Computer Assisted Audit Techniques (contd.)
Advantages of CAATs
Cost/benefits of CAATs

Computer Assisted Audit Techniques (contd.)
Development of CAATs
Documentation retention
Access to production data
Data manipulation

Evaluation of Strengths and Weaknesses
Assess evidence
Evaluate overall control structure
Evaluate control procedures
Assess control strengths and weaknesses

Judging Materiality of Findings
Materiality is a key issue
Assessment requires judgment of the potential effect of the finding if corrective action is not taken

Communicating Audit Results
Exit interview
Correct facts
Realistic recommendations
Implementation dates for agreed recommendations
Presentation techniques
Executive summary
Visual presentation

Audit report structure and contents
An introduction to the report
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
A variety of findings
Limitations to audit
Statement on the IS audit guidelines followed

Management Actions to Implement Recommendations
Auditing is an ongoing process
Timing of follow-up

Audit Documentation
Contents of audit documentation
Custody of audit documentation
Support of findings and conclusions

Constraints on the Conduct of the Audit
Availability of audit staff
Auditee constraints

Project Management Techniques
Develop a detailed plan
Report project activity against the plan
Adjust the plan
Take corrective action

Control Self-Assessment (CSA)
A management technique
A methodology
In practice, a series of tools

Control Self-Assessment (CSA) (contd.)
Implementation of CSA
Facilitated workshops
Hybrid approach

Control Self-Assessment (contd.)
Benefits of CSA
Disadvantages of CSA
Objectives of CSA
Enhancement of audit responsibilities (not a replacement)
Education for line management in control responsibility and monitoring
Empowerment of workers to assess the control environment

Control Self-Assessment (contd.)
IS Auditor's Role in CSAs
Technology Drivers for CSA Program
Traditional vs. CSA Approach

Emerging Changes in IS Audit Process
New topics:
Automated Work Papers
Integrated Auditing
Continuous Auditing

Automated Work Papers
Risk analysis
Audit programs
Results
Test evidences
Conclusions
Reports and other complementary information

Automated Work Papers (contd.)
Controls over automated work papers:
Access to work papers
Audit trails
Approvals of audit phases
Security and integrity controls
Backup and restoration
Encryption for confidentiality
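The slide lists the controls over automated work papers (audit trails, approvals of audit phases, security and integrity controls) without showing how they fit together. The following is an added example, not part of the original slides, showing one way to implement the audit-trail, approval and integrity controls in a single structure: a hash-chained, HMAC-authenticated work-paper log in which every entry records who did what and when, approval of a phase is itself an entry, and verification detects any later alteration or deletion. The key, the authors and the entries are constructed; access control, backup and encryption for confidentiality are separate controls not covered by this block.

```python
"""Integrity, audit-trail and approval controls over automated work papers.

Added example, not part of the original slides. It keeps work-paper entries
in a hash-chained, HMAC-authenticated log: every entry records who did what
and when (audit trail), approval of an audit phase is itself an entry in the
chain, and verification detects any later alteration or removal. The key,
authors and entries are constructed. Access control, backup and encryption
for confidentiality are separate controls not shown here.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64   # "previous MAC" of the first entry


class WorkPaperLog:
    def __init__(self, key: bytes):
        # The key must be held by audit management (or a signing service),
        # not by the preparers whose entries it authenticates; anyone holding
        # it could re-sign an altered chain.
        self._key = key
        self.entries = []

    def _mac(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def add(self, phase: str, author: str, action: str, content: str,
            when: Optional[datetime] = None) -> dict:
        """Append an entry chained to the previous one via its MAC."""
        record = {
            "seq": len(self.entries) + 1,
            "phase": phase,
            "author": author,
            "action": action,           # "prepared", "reviewed", "approved", ...
            "content": content,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = {**record, "mac": self._mac(record)}
        self.entries.append(entry)
        return entry

    def approve(self, phase: str, approver: str,
                when: Optional[datetime] = None) -> dict:
        """Approval of an audit phase is recorded in the same chain."""
        return self.add(phase, approver, "approved", f"{phase} phase approved", when)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every MAC and link; return (ok, first bad seq or None)."""
        prev = GENESIS
        for entry in self.entries:
            record = {k: v for k, v in entry.items() if k != "mac"}
            if record["prev"] != prev or not hmac.compare_digest(self._mac(record), entry["mac"]):
                return False, entry["seq"]
            prev = entry["mac"]
        return True, None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Build a small log, approve a phase, then simulate an unauthorized edit
    of an approved test result. Returns (ok before edit, ok after, bad seq)."""
    log = WorkPaperLog(key=b"constructed-demo-key-do-not-reuse")
    t = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    log.add("planning", "asmith", "prepared", "Risk analysis: payroll rated high", t)
    log.add("fieldwork", "asmith", "prepared", "Attribute sample n=59, 0 deviations", t)
    log.approve("fieldwork", "jdoe", t)
    ok_before, _ = log.verify()
    log.entries[1]["content"] = "Attribute sample n=59, 2 deviations"   # tampering
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

Because each entry's MAC covers the previous entry's MAC, editing or deleting an entry invalidates everything after it, so a post-approval change to a test result is caught at the altered sequence number; the audit-trail fields (author, action, timestamp) are inside the authenticated record, so they cannot be rewritten to disguise who made the change.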

Integrated Auditing
A process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
Focuses on risk to the organization (for an internal auditor)
Focuses on the risk of providing an incorrect or misleading audit opinion (for an external auditor)

Integrated Auditing: typical process
Identification of relevant key controls
Review and understanding of the design of key controls
Testing that key controls are supported by the IT system
Testing that management controls operate effectively
A combined report or opinion on control risks, design and weaknesses

Continuous Auditing
Continuous auditing: a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter

Continuous Auditing (contd.)
Distinctive character
Short time lapse between the facts to be audited and the collection of evidence and audit reporting
Drivers
Better monitoring of financial issues
Allowing real-time transactions to benefit from real-time monitoring
Preventing financial fiascoes and audit scandals
Using software to determine proper financial controls

Continuous Auditing vs. Continuous Monitoring
Continuous monitoring
Management-driven
Based on automated procedures to meet fiduciary responsibilities
Continuous auditing
Audit-driven
Done using automated audit procedures

Continuous Auditing: Enablers for the Application of Continuous Auditing
New information technology developments
Increased processing capabilities
Standards
Artificial intelligence tools

IT Techniques in a Continuous Auditing Environment
Transaction logging
Query tools
Statistics and data analysis (CAAT)
Database management systems (DBMS)
Data warehouses, data marts, data mining
Artificial intelligence (AI)
Embedded audit modules (EAM)
Neural network technology
Standards such as Extensible Business Reporting Language

Continuous Auditing Prerequisites
A high degree of automation
An automated and reliable information-producing process
Alarm triggers to report control failures
Implementation of automated audit tools
Quickly informing IS auditors of anomalies/errors
Timely issuance of automated audit reports
Technically proficient IS auditors
Availability of reliable sources of evidence
Adherence to materiality guidelines
Change of IS auditors' mindset
Evaluation of cost factors
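Two earlier points come together here: the "Procedures for testing & evaluating IS controls" slide lists the use of generalized audit software to survey the contents of data files, and the continuous auditing prerequisites above call for alarm triggers that report control failures and quickly inform the IS auditor of anomalies. The following is an added example, not part of the original slides, showing what such automated audit tests look like when run over a data file: it surveys a constructed accounts-payable payment extract for sequence gaps, unapproved payments over a limit, self-approval (a segregation-of-duties failure), possible duplicate payments and off-hours postings, and emits one alarm per control failure. The file, the approval limit, the business-hours window and the five tests are all constructed for this illustration.

```python
"""Generalized-audit-software style tests over a payment file, with alarm
triggers of the kind continuous auditing relies on.

Added example, not part of the original slides. The CSV extract, the
approval limit, the business-hours window and the tests are constructed
illustrations of surveying data-file contents and reporting control failures.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed extract of an accounts-payable payment file.
PAYMENTS_CSV = """\
seq,date,vendor,amount,approver,entered_by
1001,2024-03-04 09:12,ACME Supplies,4800.00,jdoe,asmith
1002,2024-03-04 10:40,Northwind,12500.00,,bwong
1003,2024-03-04 11:05,ACME Supplies,4800.00,jdoe,asmith
1005,2024-03-05 02:31,Contoso,900.00,bwong,bwong
1006,2024-03-05 14:20,Northwind,7300.00,jdoe,bwong
"""

APPROVAL_LIMIT = 5000.00        # payments above this must carry a recorded approver
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; postings outside raise an alarm


def load_payments(text: str) -> list:
    """Parse the extract and type the fields the tests need."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["seq"] = int(r["seq"])
        r["amount"] = float(r["amount"])
        r["date"] = datetime.strptime(r["date"], "%Y-%m-%d %H:%M")
    return rows


def audit_payments(rows: list) -> list:
    """Run the control tests; each alarm is (test, seq, detail)."""
    alarms = []
    # Test 1: completeness - a gap in the sequence may mean deleted records.
    seqs = sorted(r["seq"] for r in rows)
    for a, b in zip(seqs, seqs[1:]):
        if b != a + 1:
            alarms.append(("sequence_gap", a, f"missing seq {a + 1}..{b - 1}"))
    # Test 2: authorization - amounts over the limit need an approver.
    for r in rows:
        if r["amount"] > APPROVAL_LIMIT and not r["approver"]:
            alarms.append(("unapproved_over_limit", r["seq"], f"{r['amount']:.2f} without approver"))
    # Test 3: segregation of duties - the person entering must not self-approve.
    for r in rows:
        if r["approver"] and r["approver"] == r["entered_by"]:
            alarms.append(("self_approval", r["seq"], r["approver"]))
    # Test 4: duplicate payments - same vendor and amount more than once.
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], r["amount"])].append(r["seq"])
    for (vendor, amount), seq_list in seen.items():
        if len(seq_list) > 1:
            alarms.append(("possible_duplicate", seq_list[0], f"{vendor} {amount:.2f} in seqs {seq_list}"))
    # Test 5: postings outside business hours.
    for r in rows:
        if r["date"].hour not in BUSINESS_HOURS:
            alarms.append(("off_hours_posting", r["seq"], r["date"].strftime("%H:%M")))
    return alarms


def alarm_summary(alarms: list) -> dict:
    """Count of alarms per test, the figure an auditor reviews first."""
    return dict(Counter(test for test, _, _ in alarms))


if __name__ == "__main__":
    found = audit_payments(load_payments(PAYMENTS_CSV))
    for test, seq, detail in found:
        print(f"ALARM {test:22s} seq={seq} {detail}")
    print(alarm_summary(found))
```

Each test maps to a control objective from the internal-control slides (completeness, authorization, segregation of duties, accuracy of processing); in a continuous-auditing setup the same functions would run on each new batch of records rather than on a one-off extract, and the alarm list is what feeds the "quickly informing IS auditors of anomalies" prerequisite.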

(Continuous Auditing)
Advantages
Instant capture of internal control problems
Reduction of intrinsic audit inefficiencies
Disadvantages
Difficulty in implementation
High cost
Elimination of auditors' personal judgment and evaluation

Practice Questions

Practice Questions
11. Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports

Answer
11C: Understanding the business process and environment applicable to the review is most representative of what occurs early on in the course of an audit. The other choices relate to activities actually occurring within this process.

Practice Questions (contd.)
12. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment

Answer
12C: Inherent risks exist independently of an audit and can occur because of the nature of the business. To successfully conduct an audit, it is important to be aware of the related business processes. To perform the audit the IS auditor needs to understand the business process, and by understanding the business process, the IS auditor better understands the inherent risks.
Practice Questions (contd.)
13 While developing a risk-based audit program, on which of the following would the IS auditor MOST likely focus?
A. Business processes
B. Critical IT applications
C. Operational controls
D. Business strategies
Answer
13A: A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus, an IS auditor using a risk-based audit approach must be able to understand business processes.
Practice Questions (contd.)
14 Which of the following types of audit risk assumes an absence of compensating controls in the area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Answer
14C: Inherent risk is the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. Control risk is the risk that a material error exists that will not be prevented or detected in a timely manner by the system of internal controls. Detection risk is the risk of an IS auditor using an inadequate test procedure that concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken.
Practice Questions (contd.)
15 An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. disregard these control weaknesses since a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.
Answer
15D: The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit's schedule, and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses that have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software review, for which additional resources may be recommended.
Practice Questions (contd.)
16 The PRIMARY use of generalized audit software (GAS) is to:
A. test controls embedded in programs.
B. test unauthorized access to data.
C. extract data of relevance to the audit.
D. reduce the need for transaction vouching.
Answer
16C: Generalized audit software facilitates direct access to and interrogation of the data by the IS auditor. The most important advantage of using GAS is that it helps in identifying data of interest to the IS auditor. GAS does not involve testing of application software directly; hence, GAS only indirectly helps in testing controls embedded in programs by testing data. GAS cannot identify unauthorized access to data if this information is not stored in the audit log file, and this information may not always be available; hence, this is not one of the primary reasons for using GAS. Vouching involves verification of documents. GAS could help in selecting transactions for vouching, but using GAS does not reduce transaction vouching.
Practice Questions (contd.)
17 Which of the following is MOST effective for implementing a control self-assessment (CSA) within business units?
A. Informal peer reviews
B. Facilitated workshops
C. Process flow narratives
D. Data flow diagrams
Answer
17B: Facilitated workshops work well within business units. Process flow narratives and data flow diagrams would not be as effective, since they would not necessarily identify and assess all control issues. Informal peer reviews similarly would be less effective for the same reason.
Practice Questions (contd.)
18 The FIRST step in planning an audit is to:
A. define audit deliverables.
B. finalize the audit scope and audit objectives.
C. gain an understanding of the business' objectives.
D. develop the audit approach or audit strategy.
Answer
18C: The first step in audit planning is to gain an understanding of the business's mission, objectives and purpose, which in turn identifies the relevant policies, standards, guidelines, procedures and organization structure. All other choices are dependent upon having a thorough understanding of the business's objectives and purpose.
Practice Questions (contd.)
19 The approach an IS auditor should use to plan IS audit coverage should be based on:
A. risk.
B. materiality.
C. professional skepticism.
D. sufficiency of audit evidence.
Answer
19A: Standard S5, Planning, establishes standards and provides guidance on planning an audit. It requires a risk-based approach.
Practice Questions (contd.)
110 A company performs a daily backup of critical data and software files, and stores the backup tapes at an offsite location. The backup tapes are used to restore the files in case of a disruption. This is a:
A. preventive control.
B. management control.
C. corrective control.
D. detective control.
Answer
110C: A corrective control helps to correct or minimize the impact of a problem. Backup tapes can be used for restoring the files in case of damage to files, thereby reducing the impact of a disruption. Preventive controls are those that prevent problems before they arise. Backup tapes cannot be used to prevent damage to files and hence cannot be classified as a preventive control. Management controls modify processing systems to minimize a repeat occurrence of the problem. Backup tapes do not modify processing systems and hence do not fit the definition of a management control. Detective controls help to detect and report problems as they occur. Backup tapes do not aid in detecting errors.
Question & Answer